
Thursday, April 4, 2013

SafelyFiled raises the bar with multiple layers of authentication

Passwords are used everywhere, but they have their limitations. SafelyFiled has just improved security with the addition of multi-factor authentication.


In previous blogs (see Password Frustration and Password Perils), we've described some of the limitations of passwords. For better or worse, passwords are the current state of the practice for web service authentication, but they are vulnerable to attack and not very adaptable. Once an attacker has figured out your password, a service that relies only on passwords has no way to distinguish the attacker using your password from you using your password.


Adding Multiple Forms of ID

Multi-factor authentication can strengthen the authentication process by requiring multiple forms of ID. Even if attackers have figured out your password, they may not be able to provide the second (and third) forms of ID. Some security-sensitive web applications, e.g. banks and financial institutions, provide multi-factor authentication. With our update this week, SafelyFiled now also provides its members with the option of multi-factor authentication.
May I see your ID, please?
Image credit: janmika / 123RF Stock Photo

In SafelyFiled, one form of authentication is the password and the other is a one-time access code that is sent either to your registered mobile phone number or to your email address. If an attacker has figured out your password, he would still need access to your mobile phone or your email account to acquire the access code for the current login session. This greatly increases the difficulty of a successful attack.

Intelligent Authentication

Ideally your web application should be able to identify riskier authentication scenarios and require multiple types of authentication in those situations. This is like your local grocery store: the cashier recognizes you and doesn't ask for additional identification when you write a check. But at a grocery store you visit on vacation, the cashier has never seen you before and will ask for additional identification before accepting a check from you.

With SafelyFiled you can select "Public-only" multi-factor authentication to do something similar. If you log in to SafelyFiled from a machine address that SafelyFiled hasn't seen you use before, or from a machine address that you have indicated is public (like a computer at the library), then SafelyFiled will require that you enter the access code it has sent to your mobile phone or email address. If you log in from your home machine, where you have logged in many times before, SafelyFiled will not prompt you for an additional access code. This gives you the additional safety of multi-factor authentication in riskier cases, while keeping the convenience of password-only access when logging in from a physically safer environment.

Multi-factor Options in SafelyFiled

From the "Manage Security" page, you can adjust how multi-factor authentication works for you. The initial default stance is to "Never require access code". We will likely change the default stance to "Only require access code for access from public machines" at some point in the future.
The controls for multi-factor options on the Manage Security page in SafelyFiled.
In addition to setting the overall policy, you can control whether the access code will be sent to your registered mobile phone or to your email address. You can also adjust whether the address you are logged in from is public (and not to be trusted) or private (will only be used by you). When you enter your access code from the login window, you can also click on the checkbox to indicate that the current address is to be treated as private (or trusted) in the future.
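The step-up decision described in the "Intelligent Authentication" section and the options on the Manage Security page can be written down as a small policy engine. The following is an added illustration, not SafelyFiled's code: the policy names, the bookkeeping of trusted and public addresses, the six-digit code format, the five-minute lifetime and the three-attempt limit are all assumptions chosen for the example.

```python
"""Risk-based step-up authentication, modelled on the post's options.
Added example, not SafelyFiled's implementation; all constants are assumed."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Set

# The first two policies are the ones the post names; ALWAYS is an assumed
# third setting a service could also offer.
NEVER = "never"              # "Never require access code"
PUBLIC_ONLY = "public-only"  # "Only require access code for access from public machines"
ALWAYS = "always"            # assumed: require the code on every login

CODE_TTL_SECONDS = 300       # assumed lifetime of a one-time code
MAX_CODE_ATTEMPTS = 3        # assumed: discard the code after three wrong guesses


@dataclass
class Member:
    """Per-member state the policy needs (constructed for this example)."""
    policy: str = NEVER
    trusted_addresses: Set[str] = field(default_factory=set)  # marked private by the member
    public_addresses: Set[str] = field(default_factory=set)   # marked public by the member
    pending_code: Optional[str] = None
    code_expires_at: float = 0.0
    attempts_left: int = 0


def needs_access_code(member: Member, address: str) -> bool:
    """Risk decision: does this login need the one-time code on top of the password?"""
    if member.policy == ALWAYS:
        return True
    if member.policy == NEVER:
        return False
    # PUBLIC_ONLY: step up for an address the member flagged as public, and for
    # any address the member has not yet marked as private (never seen before).
    if address in member.public_addresses:
        return True
    return address not in member.trusted_addresses


def issue_access_code(member: Member, now: Optional[float] = None) -> str:
    """Create a fresh six-digit code from a CSPRNG; the caller delivers it to the
    registered phone number or email address (delivery is not shown here)."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    member.pending_code = code
    member.code_expires_at = now + CODE_TTL_SECONDS
    member.attempts_left = MAX_CODE_ATTEMPTS
    return code


def verify_access_code(member: Member, address: str, submitted: str,
                       trust_address: bool = False,
                       now: Optional[float] = None) -> bool:
    """Check the submitted code: single use, time limited, attempt limited,
    constant-time comparison. On success, optionally mark the address private
    (the post's "treat this address as trusted in future" checkbox)."""
    now = time.time() if now is None else now
    if member.pending_code is None or member.attempts_left <= 0:
        return False
    if now > member.code_expires_at:
        member.pending_code = None          # expired: the member must request a new code
        return False
    member.attempts_left -= 1
    if not hmac.compare_digest(member.pending_code.encode(), submitted.encode()):
        if member.attempts_left == 0:
            member.pending_code = None      # too many wrong guesses: code is discarded
        return False
    member.pending_code = None              # single use: never accept the same code twice
    if trust_address:
        member.trusted_addresses.add(address)
        member.public_addresses.discard(address)
    return True


def login(member: Member, address: str, password_ok: bool,
          submitted_code: Optional[str] = None, trust_address: bool = False,
          now: Optional[float] = None) -> str:
    """Whole flow: password first, then the step-up decision.
    Returns 'denied', 'code-required' or 'ok'."""
    if not password_ok:
        return "denied"
    if not needs_access_code(member, address):
        return "ok"
    if submitted_code is None:
        issue_access_code(member, now)
        return "code-required"
    ok = verify_access_code(member, address, submitted_code, trust_address, now)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    # Constructed sample: a member who trusts "home" and flagged the library as public.
    m = Member(policy=PUBLIC_ONLY, trusted_addresses={"home"}, public_addresses={"library"})
    print(login(m, "home", True))                      # no code needed at home
    print(login(m, "hotel-wifi", True, now=0.0))       # unknown address: code required
    code = m.pending_code                              # in practice, read from phone/email
    print(login(m, "hotel-wifi", True, code, trust_address=True, now=10.0))
    print(login(m, "hotel-wifi", True))                # now a private address
```

The two defensive details worth copying are that a code is consumed on success and discarded after expiry or repeated wrong guesses, so an intercepted or guessed value cannot be replayed, and that the "trust this address" flag is only honoured after a successful code check, so an attacker who knows only the password cannot promote a public address to private.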

Take advantage of Multi-factor Authentication

We strongly encourage you to sign up for the "Only require access code for public machines" option. This gives you increased protection from attackers with a reasonable ease-of-use trade-off.

Also review your other sensitive web services, like bank and investment sites. They probably have multi-factor authentication options. Review what they offer and be sure that you take advantage of the increased security of more advanced authentication.
